Scopes and Filters

Scopes and Filters


Suppose you’re a typical English-speaking American and you get the opportunity to live and work in Rome for a year. Could you survive without learning to speak Italian? Maybe. Would you be better off if you took a little time to sit down and learn some Italian? Definitely. When in Rome, do as the Romans do.


Oh: and talk like the Romans talk.


True story. Several years ago, one of the authors accompanied his son to Japan (his son was playing on an all-star baseball team that was touring the Tokyo area). One night the author was talking to a Japanese mother whose family was serving as a “host family” for two nights. (Instead of staying in hotels, the players stayed with host families.) This mother was a trifle nervous about hosting three American children: would they like the food; would they be bored; would they be able to communicate? After chatting in English the author – who had learned a little Japanese prior to the trip – wished the woman “Good luck” in Japanese. The mother just stood and stared at him. “I’m sorry,” said the author. “I was trying to say ‘Good luck,’ but I guess I said it wrong.” “Oh,” said the woman. “I get it: you were speaking Japanese. No, you said it correctly. You’re an American, though, so I never expected you to speak Japanese. I assumed you were speaking English, so I had no idea what you were saying.”


As it turns out, Microsoft Lync Server 2010 introduces a whole new language and a whole new vocabulary all its own. Can you survive without learning this new vocabulary? Maybe. Would you be better off if you took a little time to sit down and learn this new vocabulary? Well, you know what they say: when in Rome ….


With that in mind, let’s take a minute and talk about three important new terms being introduced along with the new Lync Server implementation of Windows PowerShell: identities, scopes, and filters.


Oh, my!




At the risk of tooting our own horns, we went to great lengths to explain identities in our Identities article, which means that we’re not going to do it again here. Instead, let’s move on to Scopes.


Man, if all the sections turn out like this one this article will be a cinch to write.




To explain what a scope let’s start by listing the available scopes:


         Global. The global scope is for configuration settings or policies you want enforced throughout your entire Microsoft Lync Server infrastructure. For example, when you configure a policy at the global scope that policy will be applied to every user in the organization. (Well, unless you have configured a policy “downstream.” But more on that in a minute.)

         Site. The site scope is for, well, sites. In Lync Server 2010, sites are typically based on geographic locations: a Redmond site, a Dublin site, etc.

         Service. The service scope represents a service. For example, the Registrar service is one Microsoft Lync Server service; user services is another. In the new Lync Server architecture, a given service might be carried out by a single computer or by all the computers in a pool.

         Tenant. The Tenant scope deals with Lync Server as a service (the so-called “in-the-cloud” scenario). At this point in time the Microsoft Lync Server cmdlets cannot be used “in the cloud.” In turn, that means that it is irrelevant to our needs, and thus won’t be discussed in this article. We mention this only because – as you’ll see in the next section – you might stumble upon a reference to the Tenant scope when trying to determine the allowed scopes for an object.

         Per-User. To be honest, “per-user” isn’t really the name of the scope, it’s more a description of the scope. (We have yet to come up with a good name for this scope.) The basic concept behind the per-user scope is pretty straightforward. The per-user scope (which applies only to policies, and not to configurations) is reserved for policies that can be directly applied to a user or a group of users. This makes the per-user (or, more simply, “user”) scope very different from the global, site, and service scopes, all of which are tied to your Microsoft Lync Server infrastructure. For example, if you don’t have a site named Redmond then you can’t create a policy at the site:Redmond scope; a site-scoped policy must be tied to an actual site. The Identity of a site-scoped policy or a service-scoped policy is simply the Identity of the site or service – period.

Oh, and each site is limited to one voice policy, one client policy, and so on: you can’t have two site-scoped voice policies at the Redmond site.

By comparison, you can create a per-user policy and give it pretty much any Identity. That’s because these policies do not have to be anchored to real objects such as sites or services. In turn, that means you can create as many per-user voice policies as you want, even if you don’t ever actually use those policies.


Scopes are primarily used for policy (and configuration) resolution. For example, if a user wants to make a phone call Lync Server needs to check to see such things as which voice policy is used to determine how (or even if) the user makes a call. Microsoft Lync Server applies policies and configurations in this order:


1.    First, the system checks to see if something has been applied at the user scope. If so, then that policy (configurations can’t be applied at the user scope) is used.

2.    If nothing can be found at the user scope then the system checks to see if something has been applied at the service scope. If so, then that policy or configuration is applied.

3.    If nothing can found at the service scope then the system checks to see if something has been applied at the site scope. If so, then that policy or configuration is applied

4.    If nothing can be found at the site scope then the system checks to see if something has been applied at the global scope. If so, then that policy or configuration is applied.


Note that there will always be a global policy or a global configuration setting. Global policies and configuration settings are automatically created for you when you install Microsoft Lync Server 2010, and these global objects can never be removed.




Got all that? Good, because now we can talk about how you specify an identity and, equally important, when you specify an identity.


Important. This discussion pertains to Microsoft Lync Server policies and configurations; it does not pertain to user accounts. For more information on user account identities see Retrieving Active Directory and Microsoft Lync Server User Accounts.


As we explained in the Identities section of this manual, identities are specified at the time you create a new object; the identity you give that object will depend on both the type of object and on the scope of the object. For example, suppose you want to create a new conferencing policy for use at the site level; what identity will you give that policy? That’s an easy one: a site policy always has an Identity that consists of the string value site: followed by the name of the site. For example, if this conferencing policy is to be assigned to the Redmond site then you would use the following code to create the new policy:


New-CsConferencingPolicy –Identity site:Redmond


OK, then what about a policy that’s supposed to be assigned to a service? That’s another easy one: the Identity is simply the string value service: followed by the service name (i.e., Registrar) followed by the fully qualified domain name of the pool where that service is located. You know, like this:


New-CsClientVersionPolicy –Identity


As you can see, when you are working at the site scope or the service scope there is no need to assign (or grant) a policy; instead, the policy is automatically assigned based on the Identity you give it. Give a policy the Identity site:Redmond and it will automatically be assigned to the Redmond site.


Note. You might have noticed we skipped the Global policy. Lync Server ships with default policies and configurations at the global scope. However, and because you can’t re-create a policy or configuration that already exists, you won’t be able to call a New cmdlet using the Global identity. You can use verbs like Get and Set when working with a global policy or a global collection of configuration settings, but you’ll receive an error if you try to create a new global object.


That leaves us with one last identity/scope to deal with: per-user. Per-user policies (and, again, only policies can be applied at the per-user scope) represent the one time (for the most part) you get to be a little creative: with per-user policies, you get to pick out the Identity. (Hurray!) That’s because per-user policies aren’t automatically assigned to a portion of the Microsoft Lync Server infrastructure; in fact, per-user policies aren’t automatically assigned to anyone or anything. Upon creation they simply exist; they do nothing more than wait for you to explicitly assign them to a user or group of users.


So what does all that look like? It looks a little something like this:


New-CsConferencingPolicy –Identity RedmondConferencingPolicy


In this case, the Identity consists of a string value that is the policy “name”: RedmondConferencingPolicy. You can give your user policy any name you wish.


Note. Why did we say “name,” with the word name in quotation marks? Well, this value isn’t really a name; it’s – well, we don’t know exactly what to call it. When you grant a policy to a user one of the parameters you have to specify is –PolicyName. The value for the parameter is the policy “name,” the same as the Identity:


Grant-CsConferencingPolicy –Identity “Pilar Ackerman” –PolicyName RedmondConferencingPolicy


So why not just call this the policy name and be done with it? Well, the problem is that some policies (such as voice policies) actually have a Name property; to make matters worse, the true policy Name does not have to be the same as the policy “name.” But the Name property is really more of a description; it is not the value supplied when you assign a policy. Supply a Name (description) if you want. But keep your focus on the “name” that makes up the Identity.


In other words, the Name is not the name. And who is on first?


Is there a way to determine the allowed scopes for an object?


Yes: scope information is included in the Help topic for each cmdlet where this information is relevant. You can determine the allowed scopes simply by perusing the help file for a given cmdlet. That’s the recommended way to determine the allowed scopes for an object.


Note. Before we go any further we should point out a small oddity in the scoping of per-user policies. Early in the development of Lync Server 2010 the per-user scope was called the tag scope. Why “tag?” Well, we never did figure that out. But in spite of the fact that everyone agreed that “tag” wasn’t a particularly great scope name, it didn’t go away completely. For example, “tag” hasn’t been removed from the error messages; in addition, when you call a cmdlet like Get-CsVoicePolicy the Identity property is still displayed like this:




So in spite of the fact that we’re not calling this a tag policy, things still appear as tag policies.


Suppose you type the command Get-Help New-CsConferencingPolicy –full | more. Do that and then scroll down until you find the section labeled Parameters. In that section you should find the following information:


-Identity <XdsIdentity>

    Unique identifier for the conferencing policy to be created.

    Conferencing policies can be created at the site or per-use

    r scopes.


Notice that the global scope isn’t mentioned. That’s because a global conferencing policy always exists, you can’t create a new one. If you look at the description of the Identity parameter in the help for Set-CsConferencingPolicy, you’ll see this:


-Identity <XdsIdentity>

    Unique identifier for the conferencing policy to be modified.

    Conferencing policies can be configured at the global, site,

    or per-user scopes.





Comments (1)
  1. Scopes and Filters
    well done and thank you

Comments are closed.

Skip to main content